Category: 3. Business

A team of more than 50 ERM leaders and experts were on the ground at London Climate Action Week (LCAW) 2025. The 2025 iteration was by far the largest in the gathering’s seven-year history, with over 45,000 participants. ERM organized more than 10 events, including several with partners like the World Business Council for Sustainable Development (WBCSD) and the Natural Climate Solutions Alliance (NSCA).

The week commenced with the launch of the WBCSD Business Breakthrough Barometer. To many people’s pleasant surprise, the Barometer reveals that 91 percent of 300 leading global businesses have maintained or increased investments in the clean energy and net zero transition vs 12 months ago, with 56 percent citing competitiveness as their primary reason for doing so. At least for this group of companies, backlash is not resulting in backslide.  

Our team captured several key takeaways from our LCAW discussions with business leaders, investors, policymakers, and representatives of civil society organizations. We share insights on how to get from volatility to value and more below.  

Navigate volatility

1. With global uncertainty and upheaval prominent, companies need clear action plans to avoid being blown off course. The ERM-convened Council on Sustainability Transformation launched a report in the lead up to LCAW exploring how companies can reframe and retool their approaches to sustainability during this time of change.
2. With the cost of inaction rising, companies need to quantify ‘do nothing’ options alongside other investment cases and take action that makes progress towards climate goals and generates business value simultaneously.
3. An event we held with WBCSD on industrial heat highlighted how companies are expanding investments in renewable heat despite economic incertitude. Companies are turning towards technological innovation and partnerships to drive progress even when policy support may be insufficient.

Adapt for each geography 

1. A one-size-fits-all-geographies approach no longer works as companies shift from goal setting to implementation, as implementation needs to be tailored to each operating environment.
2. Success depends on recognizing that the energy transition is place-based and emphasizing just transition. The effects of the transition will be felt most where activities occur (e.g., job creation or losses, local economic empowerment or displacement, enhanced adaptive capacity, etc.).
3. No transition plan will succeed without people. Corporate speakers at a just transition roundtable we hosted in partnership with WBCSD said companies must account for the people-related impacts of their transitions and engage people in transition solutions.
4. During an infrastructure-focused workshop hosted with WBCSD, participants stressed the importance of turning a local lens to physical risk mitigation and recognizing that direct (e.g., property damage) and indirect (e.g., supply chain disruptions) risks will vary by site and geography.

Creating value requires getting into the details  

1. Ana Toni, the CEO of COP30, said that businesses need to identify very specifically what they require to progress towards their climate goals. Doing this will enable ‘unlocks’ from policy makers, investors, and others in country plans (like Nationally Determined Contributions and National Adaptation Plans).
2. The complexity of implementing targets and plans within the current operating environment is forcing companies to get down to details. ERM held LCAW sessions on the electrification of industrial heat, long-duration energy storage, and climate markets, including removals and decarbonization in the manufacturing and pharmaceutical sectors.
3. Identifying how sustainability programs create enterprise value is essential. Whether growing market share, lowering operating costs, enhancing energy security, or lowering costs of capital, there are many opportunities to add value A blog ERM published before LCAW explores how companies can use financial quantification to help visualize the full benefits of their sustainability-related actions. There are hurdles as well. Companies participating in a financial quantification roundtable we co-hosted with WBCSD stressed that a lack of consistency in data quality and availability makes quantification difficult. 

Own your narrative 

1. Defining the narrative for your company’s climate action is critical. If you do not tell your story, someone else will. There is no room for greenhushing in a world where investors, policymakers, other businesses, and stakeholders demand to see evidence of tangible action linked to quantified outcomes.
2. Outputs on sustainability – however impressive the metrics – mean little until they are set in the context of what matters to stakeholders. Think about framing your story from the outside in, starting with the meaningful outcomes you can deliver.
3. Communication is an important vehicle for translating the financial quantification of sustainability into language that resonates within and beyond your organization. Tone matters—it is so important to be positive! Participants in an ERM/WBCSD session on quantification and communication stressed the need to avoid overemphasizing risk; human beings respond to inspiration.
4. Narrative consistency is key—there cannot be one message for employees and another for investors. Participants at an ERM roundtable on sustainability in a volatile world emphasized the importance of transparent and consistent stakeholder communication in building trust and credibility.

Seek opportunity 

1. Opportunities emerge during volatility. Companies we spoke with are keeping their eyes open for places where they can create value and build sustainability momentum at the same time. Companies and financial institutions in Asia, for example, are innovating and investing in response to market needs, while global participants at an ERM-supported session on energy storage highlighted the use of the technology as a solution that can generate significant financial opportunity and be a powerful force for decarbonization.
2. Carbon markets and water were high on the opportunity agenda at many of the sessions in which ERM participated. Companies are determining how to build business cases for these and other nature-related issues and integrate them into their sustainability strategies. As companies face pressure to achieve targets, participants underscored the importance of high-quality carbon credits. While concerns remain about greenwashing, logistical barriers, and the need for clearer standards and metrics, there was a consensus that demand stimulation, policy clarity, and technological innovation are crucial to scaling this key market.

Delivering in uncharted territory

Amidst the backdrop of an ever-changing world, a sense of what’s possible in the delivery of climate solutions that make commercial sense spread throughout the biggest LCAW ever. Themes like adaptation, value creation, narration, and opportunity identification emerged as strategies capable of helping companies forge ahead into uncharted territory. ERM was honored to contribute to the conversation.

The Circularity Gap Report Finance is the first empirical global study that quantifies and explains the global financial streams to circular business models, such as resale and repair, which allows for estimating the ‘gap’ in finance for a circular economy. It was authored by the Amsterdam-based impact organisation Circle Economy in collaboration with KPMG International, with support from the International Finance Corporation (IFC).

The report highlights that circular economy investments can deliver risk-adjusted returns. Circular business models generate additional revenue, unlock new markets, and deliver greater value from fewer resources. In addition, circularity is emerging as a key strategy for the financial sector to manage resource risks from supply chain disruptions and material scarcity—risks that are now more relevant than ever, considering trade wars and geopolitical instability.

The sector increasingly recognises these benefits: investment in the circular economy has grown from US$ 10 billion in 2018 to US$ 28 billion in 2023, peaking at US$ 42 billion in 2021. While this upward trend signals a strengthening business case for circularity, the failure to surpass the 2021 peak suggests waning momentum. Banks account for the majority of these investments in the form of debt. Nevertheless, circular investments still represent just 2% of all tracked capital (in the scope of this report), suggesting a vast unrealised potential.

Investments mainly go to conventional applications of circularity, like rental and repair, which have existed for decades. High-impact solutions and innovations in design and production received just 4.7% of all investment, despite their potential to eliminate waste and pollution at the source.

RWE and KRONOS TITAN (KRONOS) are breaking new ground in the sustainable energy supply of industrial sites. RWE plans to build and operate a ground-mounted photovoltaic plant with an output of 24.7 megawatts peak on a 20-hectare site at the KRONOS location in Nordenham, Lower Saxony. RWE has leased the land for this project from KRONOS, and KRONOS will purchase the green electricity generated there by means of a long-term PPA. Construction of the solar plant is scheduled to begin in summer, with commissioning planned for spring 2026.

Carsten Büsing, Plant Manager of KRONOS TITAN GmbH at the Nordenham site: “We are delighted to be working with RWE to lead our site into a more sustainable future. With the new solar farm, we can cover a significant part of our energy needs with green electricity. This plant plays a crucial role in achieving our transformation goals and underlines our commitment to environmentally friendly solutions at the site.”

Katja Wünschel, CEO RWE Renewables Europe & Australia GmbH: “The joint project with KRONOS TITAN shows how industrial customers can play an active role in the energy transition. They provide land and we take over the planning, construction, investment and operation of the solar farm. The customer receives long-term green electricity at predictable conditions. In this way, we combine our expertise in the expansion of renewable energies with our experience in energy trading.”

A total of around 38,200  solar modules will generate approximately 22,000 megawatt hours of electricity per year, enough to cover a significant part of KRONOS’ electricity requirements at the Nordenham site. The immediate neighbours have also been notified about the joint project of RWE and KRONOS.

An image for media purposes is available in the RWE media library (Image rights: KRONOS TITAN).

 

Following the recent unmasking of Singapore National Registration Identity Card (“NRIC”) numbers by the Accounting and Corporate Regulatory Authority (“ACRA”), both the ACRA and Cyber Security Agency (“CSA”) have issued guidance on moving away from using NRIC numbers for authentication and password purposes in the private sector.

With data protection undoubtedly a top concern and priority for individuals and organisations today, our commentary reviews this significant shift in best practices for authentication in Singapore, and the need for education on the appropriate use of NRIC numbers.

Unmasking the Singapore NRIC number

In December 2024, there was a public furore over the inadvertent unmasking of Singapore NRIC numbers by ACRA. A member of the public had, by chance, discovered that the refreshed online portal ACRA had rolled out featured a new search function (which was later disabled) that allowed the full NRIC numbers of individuals registered on its database to be accessed free of charge (i.e. Bizfile People Search). This led to the government issuing a public apology later in December and instituting a review panel to investigate the incident.

Thereafter, in the same month, the Ministry of Digital Development and Information (“MDDI”) issued a statement outlining the appropriate use and misuse of NRIC numbers, which invited public debate. The MDDI made the following key points in its statement:

• As there is little value in masking the NRIC number, the government had been preparing to change the existing practice of masking the NRIC number and move towards unmasking the same eventually. The MDDI explained that masked NRIC numbers actually give individuals a false sense of security. This was because, using some basic algorithms, it was possible to uncover an individual’s full NRIC number from the masked number, especially if the year of birth of the individual was also known.
• In 2025, the MDDI and Personal Data Protection Commission (“PDPC”) plan to start educating the public on how the NRIC number should be used freely as a personal identifier in the same way individuals use their names, and the correct steps that ought to be taken for security, which would involve the proper use of authentication and passwords.

Review panel findings

In March 2025, the government shared the panel’s findings of internal communication errors between ACRA and the MDDI. ACRA’s misinterpretation of the MDDI’s internal directive on NRIC numbers had led ACRA to launch Bizfile People Search with full NRIC numbers alongside corresponding names in the search results, instead of partial NRIC numbers, which had been what was intended. ACRA, together with the Ministry of Finance, and separately, the MDDI, apologised for the incident.

New guidelines on the use of NRIC numbers

On 26 June 2025, ACRA and the CSA issued a joint advisory[1] to guide private organisations on ceasing the use of NRIC numbers for authentication of an individual. On the back of this, the MDDI similarly issued a press release[2] on stopping the use of NRIC numbers as passwords in the private sector. The public can expect more sector-specific guidance in the coming months as the government is working with regulated sectors such as finance, healthcare, and telecommunications to develop them.

Isn’t the NRIC number private information?

Public understanding and consensus has always been that an individual’s NRIC number is private and confidential and, unless required by law, the disclosure of the same is subject to that individual’s consent. This is consistent with the fact that an individual’s full NRIC number is usually masked, whether at the point of collection or disclosure. For instance, the collection of individuals’ NRIC numbers by organisations (in both the public or private sector) for various purposes tends to only require the provision of the last four characters of the NRIC number (i.e. last three numerical digits and checksum of the NRIC number e.g. 567A where the full NRIC number is S1234567A). On the occasion where an announcement of contest winners set outs their names and NRIC numbers, full NRIC numbers would not be spelled out – only the last four characters would be published. Partial disclosure was and is the norm, and a widely-accepted general practice.

The classified nature of NRIC numbers is especially entrenched in the consciousness of the Singaporean public, as it is used by individuals to conduct their private matters. In Singapore, banks and insurers customarily require customers to identify themselves by entering their NRIC number over calls to their hotlines, or online for use of digital services, as part of their customer verification protocol. While fund transfers may require multi-factor authentication (“MFA”), of which entering the NRIC number may only comprise one component, some banks have opted to accept NRIC numbers to expedite customer verification in urgent cases of fraud or scam prevention. Additionally, banks and insurers often prescribe passwords that are a combination of the customer’s full or partial NRIC number and date of birth, to unlock password protected documents such as bank statements, insurance policies or related documents. Needless to say, these documents are secured in this way because they contain sensitive personal data (e.g. financial and health information).

Would the disclosure of an NRIC number constitute a data breach?

We would highlight that even partial NRIC numbers are considered personal data under the Personal Data Protection Act 2012 (“PDPA”), to the extent that an individual can be identified from the partial NRIC number. This is the view the PDPC has taken in its Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers (“Advisory Guidelines”), which were issued on 31 August 2018 (but which is due to be updated). The PDPC had in 2020 also published a series of Frequently Asked Questions for individual and organisations in relation to the treatment of NRIC numbers and physical NRICs, and this appears to have been updated in the light of recent developments.

While the public sector is not subject to the PDPA (although under the Public Sector (Governance) Act 2018, public agencies are required to comply with IM8, which is reportedly a set of instructions aligned with the PDPA but adapted to the public service context), the public outcry that followed the ACRA incident was not surprising. Had the incursion been traced to a private sector entity, it would have been considered a data breach – an unauthorised disclosure of personal data. Accordingly, it would have required mandatory notification to the PDPC, and could also trigger enforcement action by the PDPC.

A notifiable data breach is one that could cause significant harm or is of significant scale. Significant harm occurs where there is physical, psychological, emotional, economic, financial harm, harm to reputation and other harms that a reasonable person would identify as a possible outcome of a data breach. While there are prescribed categories of personal data that if disclosed would cause significant harm (e.g. full name/ alias/ identification number in combination with items such as salary information/ credit card number/ bank account number/ health information, or account name/ number/ username, or account access information like biometric data/ security code/ password/ answer to security question etc), unauthorised access to an NRIC number is likely to cause significant financial harm to the holder of that NRIC number, because of the possibility for that number to be misused for identity theft or fraudulent purposes. For the avoidance of doubt, even though an individual’s full name would constitute personal data, a data breach involving the disclosure of an individual’s full name alone (without any other accompanying personal data) would not give rise to significant harm.

Authentication versus identification

Both the joint advisory by the PDPC and CSA, and the MDDI’s statement in June 2025 distinguish between the authentication and identification of an individual.

Authentication is the more critical process of proving that an individual is who he/ she claims to be; and successful authentication is a condition precedent to permitting the individual to access services or information intended only for him/ her. On the other hand, identification is the act of differentiating one individual from another, and is an end in itself. While both are forms of verification, it is clear that authentication should not be treated as a lockstep process as there are higher stakes involved.

On a related note, a Straits Times Forum letter published on 20 June 2025 titled “Stronger safeguards needed for inter-bank transfers” suggests that authentication should be more layered so as to be watertight. The letter flagged the recent case of a car salesman cheating buyers of over S$341,000 by having them transfer payment to his personal account instead of the company account. The writer was troubled by the lack of built-in checks in interbank transfers to ensure that the name of the recipient matches the name of the holder of the account to which the funds are being transferred. There is no such gap for cheques/ banker’s drafts/ cashier’s orders as bank tellers would have to extract the name of the account holder from the account number, and verify that such name tallied with the printed payee’s name. Mandatory name verification for large transfers was proposed as a safeguard to plug this gap. On 26 June 2025, the Monetary Authority of Singapore stated that it would consider the writer’s suggestion as part of its efforts to better protect customers against fraudulent or erroneous transfers.

Returning to the use of passwords as a method of authentication, the government’s position is that in order for passwords to serve as a reasonably robust defence against unauthorised account access, passwords should not contain information that can be obtained easily, such as full names or their permutations, NRIC numbers, or dates of birth.

The issue the government is trying to address is two-pronged:

• individuals have been using their NRIC numbers, whether partially or in their entirety as their passwords or part of their passwords, to log into their digital accounts;
• organisations have been using full or partial NRIC numbers to authenticate individuals, by setting passwords on their behalf as account log-in credentials, or to enable them to access privileged information (such as unlocking password protected documents), or to perform privileged transactions.

The misuse or publication of NRIC numbers is therefore a real concern, as those privy to another’s NRIC number may be able to abuse this information for impersonation and fraud.

Accordingly, an NRIC number should be treated like an individual’s name – neither of which would, whether separately or together, in full or in part, together with other easily obtainable personal data (e.g. passwords combining an individual’s partial NRIC number and date of birth, such as “567A1Jan2025”), suffice for authentication. Both are simply means of identification.

Organisations and individuals should expedite their transitions away from the practice of deploying NRIC numbers as an authentication measure and consider adopting the following options for purposes of authenticating an individual instead:

• More specific and uncommonly known information that only that individual knows (e.g. complex password);
• An item that only that individual would possess (e.g. security token, smart card);
• An attribute that only that individual would possess (e.g. fingerprint, face, iris, palm vein).

The last two options offer stronger phishing resistance than the first. In terms of passwords, a strong one with enough complexity is typically composed of a series of random words; and where passwords are used, two-factor authentication (“2FA”) or even MFA are recommended as additional layers of security. Essentially, an individual’s name and NRIC number should not be used as passwords or as any basis of authentication.

In fact, the physical NRIC, which indicates an individual’s NRIC number, could be employed as a factor of authentication, as it contains other details (e.g. photo and thumbprint) which can be verified in person, and these additional features serve as security/ safeguards that the NRIC number on its own lacks. 

It is worth noting that the PDPC had previously issued a Technical Guide to the Advisory Guidelines (likewise scheduled to be updated) which provides organisations with tips for the replacement of NRIC numbers as identifiers for individuals, in their applications, websites or other public-facing computer systems.

The PDPC and CSA advise organisations to adopt a risk-based approach when choosing the appropriate authentication method. Factors to consider in designing a bespoke approach include:

• Value and sensitivity of what is being protected;
• Potential threats and vulnerabilities of the authentication method; and
• User experience and accessibility when using the authentication method.

The PDPC encourages organisations to take reference from the PDPC’s Guide to Data Protection Practices for ICT Systems (pages 15 to 16) in devising their authentication practices. For example, 2FA, MFA and complex passwords are particularly important for administrative accounts, as unauthorised access of these very accounts remains one of the most common root causes of data breaches to date. Staff training and restrictions on privileged account changes would also be prudent measures to implement as part of efforts to promote this sea change in mindset.

It is uncontroversial that one’s NRIC number is a unique/ personal identifier. But it will take time for the public education drive to dislodge the deeply embedded, age-old notion that an individual’s NRIC number is private knowledge that an individual is entitled to withhold.

Nonetheless, until the relevant PDPC advisories are formally amended, the NRIC number (as a personal identifier) continues to be subject to the PDPA, and the unauthorised disclosure of the same could engender significant harm. Organisations that handle personal data (which includes NRIC numbers) must still comply with their data protection obligations under the PDPA – beginning with obtaining valid consent from the individual, followed by adhering to purpose and retention limitations, and making reasonable security arrangements to protect the personal data, etc.

Exploitation of personal data and the NRIC number

Cybersecurity awareness amongst organisations and individuals alike is key to avoiding the exploitation of personal data. IT forensics experts have identified new threat actor tactics that could theoretically take advantage of the unmasking of the NRIC number. For example, a prominent threat actor group known by the name of “Scattered Spider” has gained notoriety of late for using social engineering techniques to effect data breaches on its victims. “Scattered Spider” has targeted IT helpdesks by deploying social manipulation techniques including adopting local accents and capitalising on publicly available information associated with mid-level IT personnel and network engineers to convince IT helpdesk staff to reset employee accounts without setting off alarm bells. NRIC numbers could certainly be exploited by the likes of “Scattered Spider” in their data breach attempts.

Key lessons

• Singapore NRIC numbers should be used for purposes of identification only and should not be used as a means of authentication to facilitate the provision of a service or the retrieval of information.
• Organisations and individuals must relook at existing practices of deploying NRIC numbers as authentication measures, including using them as passwords, and phase these out.
• Passwords should not contain NRIC numbers, as the likelihood of one’s NRIC number being compromised and misappropriated is a serious possibility.
• Multiple independent forms and stages of authentication are recommended, and organisations and individuals should stay vigilant of security risks and take active steps to install effective safeguards.

Kennedys regularly advises on data protection laws and cyber incidents in Singapore and worldwide. If you require any assistance in this regard, please contact our authors.

 

[1] https://www.pdpc.gov.sg/help-and-resources/2025/06/joint-advisory-against-using-nric-numbers-for-authentication-by-the-personal-data-protection-commission-pdpc-and-cyber-security-agency-of-singapore-csa

[2] https://www.mddi.gov.sg/newsroom/stopping-the-use-of-nric-numbers-as-passwords-in-the-private-sector/

 

The TRUE Initiative, in partnership with the United Nations Environment Programme, conducted a groundbreaking remote sensing campaign, the first of its kind in Africa, to offer real-world insight into the levels of pollution from vehicles operating in Kampala, Uganda.

Using plume chase technology, where a vehicle equipped with emission analyzers follows a target vehicle while sampling its exhaust plume, this project captured real-world snapshots from Kampala’s fleet in 2024. Researchers analyzed the results and observed that:

• Over 50% of gasoline passenger cars exhibited average nitrogen oxides (NO_x) emissions consistent with pre-Euro certifications, suggesting potential malfunctions or removal of catalytic converters. Although newer gasoline passenger cars under 8 years old showed lower NOx emissions than older cars, their levels were still 5.5 times higher on average than Euro 4 limits.
• Diesel heavy commercial vehicles under 8 years of age showed 14% higher average NO_x emissions than older counterparts. Similarly little differences in average real-world NOx emissions were observed among older and newer diesel vehicles across other groups— passenger cars, minibuses, and light commercial vehicles.
• Diesel minibuses, which had an average age of 25 years, showed NO_x emissions more than 9 times higher than Euro 4 limits and elevated black carbon (BC) emissions. At least 16% of diesel minibuses over 15 years old exhibited visible black smoke from their exhaust during measurement and exhibited 6 times higher average BC emissions than vehicles aged between 8 and 15 years.

Uganda is already working to improve air quality, including by outlining new programs under its National Environment (Air Quality Standards) Regulations and e-mobility strategy. Based on these results, the TRUE Initiative recommends a strengthening of import requirements on all vehicle imports and developing a roadmap to meet Euro 6 standards. For maximum benefits, this should be complemented by routine vehicle inspection programs and mandatory follow-up maintenance that would quickly identify and repair high emitters. Finally, prioritizing public transport and modernizing the aging taxi minibus fleet would significantly reduce vehicle-related air pollution.

Cover Photo: Attendees participated in a live demonstration of plume chasing technology during a kick-off event for TRUE’s remote-sensing campaign in Kampala, Uganda. The workshop was organized by UNEP and local partners in July 2024.